Lousy Electronic Stamp Security in Germany

More and more, we're seeing electronic postage stamps: stamps you can print directly onto envelopes from your printer. This story from Germany illustrates some of the problems when security collides with convenience.

Comments

IIRC, stamps.com and other US electronic postage vendors have a strong incentive to get it right. The USPS charges *them* for each stamp of theirs the system processes. If their security isn't good enough to go back to the customer who bought the stamp, it's not the postal service's problem. Once again, economics does its job.

The system Paypal uses (not sure if this is via stamps.com or what) allows reprinting until the printout is acceptable.
It has a 2D barcode on it, which I'm sure links back to the original transaction. Its unique number gets registered as "used" once it enters the postal stream. If it gets "used" twice, they know who did it and you'll be talking to postal inspectors.

Good point about being able to trace back. In grad school I studied some anonymous digital cash schemes. There are cryptographic properties that can be employed to hide the identity of the user _unless_ the "cash" is double-spent.

This is the same situation you're citing for stamp transactions. Theoretically, the same anonymous-unless-fraudulent technique could be encoded into the printed stamps.

I'm thinking that anonymity on electronic stamps is probably not totally good. It opens up everyone to attack; I could photocopy a bunch of anonymous estamps, put them on a bunch of mail with your return address on it, and drop them in the post office near your house, and you get to talk with the postal inspectors and maybe the secret service. Again, this is no different than using fake normal stamps.

It's a lot harder for me to build a convincing trail back to you with traceable eStamps. To do a good job, I'd have to park near your house and steal your wireless (to get your IP) or work from a public access terminal or wireless hotspot (hopefully one that you are known to use), and know your credit card info.

I haven't read the stamps.com policy. I'm assuming there's limited anonymity; they probably keep records but like an ISP, they will disclose those records only with a warrant. I could easily be wrong; there could be provisions in their contract with the USPS that they have to disclose records on request.

I'd rather keep the anonymity we currently have, and also keep the current vulnerability to forgery, than lose anonymity and gain a forgery protection we don't currently have. I also think that this would be a *very* good application for the kind of blind-signature ecash systems Nyhm mentions.
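The two mechanisms the thread has been comparing can be shown side by side: the "unique number registered as used once it enters the postal stream" check from the stamps.com comment above, and the blind-signature stamps this comment argues for. The following is an added toy example, not code from the post, from stamps.com, or from any German postage system. It uses textbook RSA blind signatures over a full-domain hash of the stamp serial; the issuer signs a blinded value it cannot link to the serial, the post office verifies the unblinded signature and rejects any serial it has seen before. Key sizes, the hash-to-integer step, and the "PostOffice" registry are all illustrative assumptions (128-bit RSA is for demonstration only and offers no real security). Unlike the Chaum-style ecash Nyhm mentions, this toy only detects a double-spent stamp; it does not reveal the spender's identity when that happens.

```python
# Added example: blind-signed electronic stamps with a double-spend registry.
# Toy parameters (128-bit RSA) are NOT secure; they keep the demo fast.
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def issuer_keygen(bits: int = 128):
    """RSA key pair for the stamp issuer (hypothetical vendor). Returns (n, e, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def stamp_digest(serial: str, n: int) -> int:
    """Full-domain-hash stand-in: SHA-256 of the serial, reduced mod n."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % n


def blind(msg: int, n: int, e: int):
    """Customer side: hide msg as msg * r^e; keep r to unblind later."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (msg * pow(r, e, n)) % n, r


def unblind(blind_sig: int, r: int, n: int) -> int:
    """(msg * r^e)^d = msg^d * r, so dividing by r yields a plain RSA signature."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(serial: str, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == stamp_digest(serial, n)


class PostOffice:
    """Assumed registry: accepts each validly signed serial exactly once."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.used = set()

    def accept(self, serial: str, sig: int) -> str:
        if not verify(serial, sig, self.n, self.e):
            return "forged"          # bad or invented signature
        if serial in self.used:
            return "duplicate"       # photocopy / reprint of a spent stamp
        self.used.add(serial)
        return "accepted"


def run_demo() -> dict:
    """Issue one blind-signed stamp, then spend it once, twice, and forge one."""
    n, e, d = issuer_keygen()
    issuer_log = []                   # everything the issuer gets to see

    def issuer_sign(blinded: int) -> int:
        issuer_log.append(blinded)
        return pow(blinded, d, n)     # issuer signs without seeing the serial

    serial = "stamp-" + secrets.token_hex(8)      # constructed sample serial
    m = stamp_digest(serial, n)
    blinded, r = blind(m, n, e)
    sig = unblind(issuer_sign(blinded), r, n)

    po = PostOffice(n, e)
    return {
        "issuer_saw_digest": m in issuer_log,     # False: unlinkable to the serial
        "first_use": po.accept(serial, sig),      # "accepted"
        "photocopy": po.accept(serial, sig),      # "duplicate"
        "forgery": po.accept("stamp-free", secrets.randbelow(n)),  # "forged"
    }


if __name__ == "__main__":
    print(run_demo())
```

The registry is the same idea as the stamps.com "marked used once it enters the postal stream" check; the difference is what the issuer's log contains. With a traceable stamp the issuer can map the serial back to the buying account. Here the issuer only ever saw the blinded value, so the post office can still refuse a second copy but nobody can tell from the records who bought the stamp.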

"It opens up everyone to attack; I could photocopy a bunch of anonymous estamps,"

Why so complicated to attack someone? Write a terror-bomb-copyright-piracy-whatever threatening letter, put my return address on it and drop it in the post office near my house, and I will get more talks with more services than I ever wanted to have...

Yes, it will be obvious to any intelligent person that it is a fake; no sane person would write his own address on it. But once they read the word "TERROR" in it, their brains will malfunction on the instant.

One is a false-positive, where a non-paying customer gets to send a letter. This costs a few pennies a time.

The other is a false-negative, where a paying customer gets his letters rejected. This costs potentially all future business from that customer.

If I were designing this system, I'd want it to fail in the direction of the former situation, not the latter. The problem described in the German system actually sounds like it might fail in both directions: a customer with printing problems can't send, and an attacker can print to PostScript or PDF, and may be able to keep reusing one stamp.

If a stamp is duplicated and returned to the sender, can you write the destination address in the sender space and hope it gets delivered?

It probably allows for spam-like mailings, in which you put the address of the recipients in the sender space and send them for free. Unless the contents identify you, the worst that can happen is that the post office throws them away (or you can use this method to get a third party in trouble by sending something that identifies them).

And if the post office just disposes of the extra letters, if you are a legit user how can you be sure your letter has been delivered?

@aracne: "if you are a legit user how can you be sure your letter has been delivered?"

In general, you can't, even without the problems mentioned here. Letters are more like IP/UDP datagrams with which a "best effort" is undertaken to deliver them. As a plus, in another "best effort" the sender is notified if the delivery fails (and the failure is detected).
Still, no guarantees.

At least in Germany, however, you have the option to choose (= pay for) various levels of certified delivery.
I think "registered mail" is the correct English term.